Product Reviews

Manage Server Infrastructure with Netwrix Auditor 5.0

The new auditing suite offers extensive reporting tools covering critical system components and platforms.

• By Derek Schauland
• 09/30/2013

Auditing your network is somewhat of a double-edged sword. It's a necessary task that you should perform regularly. Routine reviews and management of your environment are critical to ensuring security, availability and compliance, but they're also time-consuming and complex.

The new Netwrix Auditor 5.0, released by Netwrix Corp. in August, aims to ease that process across the gamut of components of your information infrastructure. It's available to cover individual components of your infrastructure, but the complete offering is bundled in what the company calls the Netwrix Auditor Enterprise Suite. Netwrix Auditor 5.0 can manage the most widely used elements of a server-based infrastructure, including Active Directory, Active Directory Object Restore, EMC VNX/VNXe/Celera, Microsoft Exchange Server, file servers, generic events, Group Policy, inactive users, NetApp filer, password expiration alerting, SQL Server, user session activity, the VMware stack and, of course, Windows Server.

After reviewing the new release, I recommend the enterprise suite for IT organizations that want a single tool for a wide spectrum of system-auditing requirements.

Installation and Configuration
Installation was a fairly straightforward process. It did require some Windows configuration changes in my Windows Server 2012 test environment, but these were fairly minor. You must have the Microsoft .NET Framework 3.5 and the IIS roles (and associated features) to get everything working. You'll also need SQL Server Reporting Services (SSRS), which is the default reporting tool used by Netwrix Auditor 5.0.

Once Windows is configured, you can begin installing the components of Netwrix Auditor 5.0 you need (see Figure 1). Note that the components carry separate license keys, but all come with a 20-day free trial to get you started. Also during the installation, you'll be asked to locate an existing SQL Server instance or download SQL Server 2012 Express. Netwrix Auditor 5.0 will work without issue on SQL Server 2012 Express, however SSRS can't be installed on an Express configuration. If SQL Server 2012 Express is the only SQL configuration you have available for use with Netwrix Auditor 5.0, you'll be unable to configure the reporting pieces.

When configuring the product for this review, I chose to install all of the modules. This ran through a script to load the MSI files for each component one right after the next with little interaction. Initial configuration takes place when the nodes to be audited are configured within the console.

In addition to auditable components, Netwrix Auditor 5.0 can install a lightweight agent to help in collecting information. Even though the agent needs to be installed, the collection is up to 100 times more accurate in data collection than audits performed without the agent.

One thing I found when initially navigating around Windows to locate the components of the product is that each component displays a Start screen tile in Windows Server 2012, but each of these tiles points back to the administration console (see Figure 2). To chew up less Start screen real estate and add only one Netwrix Auditor 5.0 console might have been smoother, but the other tiles can be removed by the administrator.

Computer objects for audit are designed to be configured by role, where all of the like items that hold a role can be configured as targets for an audit. For example, when creating a computer management object for Active Directory, you might also add Inactive Passwords, Group Policy, and Password Expiration Alerting to the group of systems being audited for Active Directory, as these things are all tightly integrated with Active Directory. When doing so, you'll notice Exchange gets lumped into that group and can be added. If Exchange is running on a domain controller, then it would make sense to add it here, but as this is not a best practice, I'd keep Exchange separate from the Active Directory functions.

Auditing Active Directory
Because Active Directory is one of the biggest underlying pieces in any Windows environment, I thought it would be appropriate to start there. Being able to determine changes and actions within Active Directory is included in Netwrix Auditor 5.0 but can be difficult (or at least a good amount of work) to manage using only the included tools. Netwrix Auditor 5.0 works with the auditing settings for Active Directory to produce usable information to show a clearer picture of what's happening.

For example, say your organization has added three new Active Directory junior administrators to the staff to assist in user onboarding and management of new objects for the duration of a massive hiring project. Because the completion date is in three months and there are many support cases to get through, the help is certainly a good idea. But bringing new employees in to work with Active Directory is a bit of a touchy issue, as it's one of the most important services around. Netwrix Auditor 5.0 can help keep track of other administrators adding, modifying and removing objects. Similar situations can be found for working with Exchange and SQL Server. In many organizations these are the most critical services. Monitoring them and ensuring they're accessible can keep your environment clean -- and keep you in a job.

To get Active Directory information using Netwrix Auditor 5.0, complete the following steps:

1. Open the Network Auditor console
2. Select Managed Objects from the navigation pane
3. Select Domain as the managed object and click Next
4. Select or specify the default process­ing account the audit should be run with and click Next
5. Specify the e-mail settings for alerts and reporting configuration, including:
   • Mail server
   • Port number
   • Sender address
   • Authentication information (if required)
   • SSL certificate information (if required)
6. Specify the managed domain name and the data processing account for all items using this managed object and click Next
7. Select the target systems that should be included in this managed object (note that this is where the types of audits are selected, including but not limited to Active Directory, Group Policy, file servers and SQL Servers)
8. If your environment supports SSRS, you can enable and configure reporting for audits performed (I'll cover more information about reporting configuration later on)
9. Configure state in time reports for audits that take snapshots of data to produce scheduled reports of data captured
10. Choose a data collection method, and whether to use a lightweight agent
11. Configure the audit in target-environment settings; using the automatic setting will enable necessary audit settings for the object type you previously selected
12. Select additional options if desired, including:
    • Originating workstation -- track audit information on the originating workstation
    • Group membership -- collect the group membership information for users making changes to Active Directory
    (Note: Some of these options cause writes to the security logs. Depending on the configuration of the logs, this might cause collected information to be overwritten as space is needed before completing the final configuration steps.)
13. Specify the e-mail address to deliver the summary reports to and click Next
14. Select any Real-Time Alerts (see Figure 3) to enable for the audits and click Next
15. Review the settings for the managed object and click finish to complete the configuration

Auditing other objects can be configured with similar steps to configuring the audit of Active Directory. Select another object type at the beginning of the Managed Object wizard. The settings configurable for each type of object will change to meet the needs of the object type.

Reporting and Alerts
Reporting for Netwrix Auditor 5.0 relies on SSRS, which requires SQL Server Standard Edition or greater. As I explained earlier, using SQL Server Express won't provide reporting information (unless you use the SQL Server 2012 Express with Advanced Services download option). Audit information can still be collected, but reporting will not be enabled if this edition of SQL Server is used. Without reporting enabled, getting information extracted from the system is extremely difficult. Subscriptions can be used to receive some information via e-mail, but getting reporting configured will help the application function more optimally.

Install-WindowsFeature Net-framework-core –source d:\sources\sxs

Monitoring actions directly on computers can be accomplished by capturing "video" of a session on specified computers. For example, if you have a set of machines that are used by the general public in a business center or computer lab, it might be a good idea to monitor the interactive sessions. The user will be notified when monitoring begins and he can choose whether to use the monitored system. This will help keep track of what's going on during interactive usage.

Because my testing environment doesn't include VMware or Exchange servers, I was un able to test these auditing features, but if they operate with the ease of use of the other components in the suite, getting up and running with these should not be too difficult at all.

Auditing is generally a rather difficult task, especially if done manually. All of the many details you need to consider and remember are taken care of by Netwrix Auditor 5.0. When systems are grouped into functional roles for auditing the tool becomes easier to manage, but without groups it could get a bit unwieldy. That would be something to test and understand before deploying the solution into production. Understanding the overall configuration and how it will work in your environment is something that might make or break the toolset for a lot of organizations. Spending time in a lab and understanding how the items can be displayed and configured will help reduce your overall learning curve.

Editor's note: This review has been corrected to note that while SQL Server Express does not include reporting capabilities, Microsoft does offer a "SQL Server 2012 Express with Advanced Services" download option, which includes basic SSRS capabilities.